AI Summary
Deep neural networks are vulnerable to adversarial attacks, and existing defenses suffer from poor generalization, reliance on pre-trained models, or task-specific data. To address this, we propose TNP, a model-agnostic adversarial purification framework based on coarse-to-fine tensor network decomposition. TNP directly reconstructs clean samples from adversarial inputs without requiring generative models, clean training data, or model gradients. Its key contributions are threefold: (i) it introduces the first model-independent tensor network purification paradigm; (ii) it relaxes the restrictive low-rank assumption and designs a novel adversarial optimization objective to suppress residual perturbations; and (iii) it supports cross-attack generalization (e.g., FGSM, PGD, CW), multiple norm constraints (L∞/L2), and task transfer. Evaluated on CIFAR-10, CIFAR-100, and ImageNet, TNP consistently improves adversarial accuracy by 12.6% to 34.1% across diverse attack settings, significantly enhancing robust generalization.
Abstract
Deep neural networks are known to be vulnerable to well-designed adversarial attacks. Although numerous defense strategies have been proposed, many are tailored to the specific attacks or tasks and often fail to generalize across diverse scenarios. In this paper, we propose Tensor Network Purification (TNP), a novel model-free adversarial purification method by a specially designed tensor network decomposition algorithm. TNP depends neither on the pre-trained generative model nor the specific dataset, resulting in strong robustness across diverse adversarial scenarios. To this end, the key challenge lies in relaxing Gaussian-noise assumptions of classical decompositions and accommodating the unknown distribution of adversarial perturbations. Unlike the low-rank representation of classical decompositions, TNP aims to reconstruct the unobserved clean examples from an adversarial example. Specifically, TNP leverages progressive downsampling and introduces a novel adversarial optimization objective to address the challenge of minimizing reconstruction error but without inadvertently restoring adversarial perturbations. Extensive experiments conducted on CIFAR-10, CIFAR-100, and ImageNet demonstrate that our method generalizes effectively across various norm threats, attack types, and tasks, providing a versatile and promising adversarial purification technique.